All that is needed now is to import the boot image and the restore image into ConfigMgr.

Managing Mac OS X devices with ConfigMgr and Parallels

Tue, 22 Dec 2015 12:03:39 +0000

Xmas is not far away now, but before we hit that one special holiday during the year I want to throw one more blog out into cyberspace.

Managing those Mac OS X devices once and for all!

ConfigMgr 2012 started out with a proposed solution to how we could start managing those silver things from the Apple company; it just wasn’t quite as easy as we would like it to be. We needed all kinds of special little configs and tweaks to be made, and on top of it we needed to bring in the PKI infrastructure with a transition of our Site System Roles to HTTPS. So many who had Mac OS X devices as a minority, well, they didn’t bother.

But… Now, believe it or not! There is an easy way for us to actually get them into ConfigMgr, register them, support them and even deploy them! With the same kind of structure as we know it from our Windows devices.

Parallels Mac Management for SCCM, or ConfigMgr as I prefer to call it.

What the Parallels product brings to ConfigMgr is actually 2 types of roles:

Configuration Manager Proxy

Netboot Server

The Parallels Configuration Manager Proxy is the role that integrates with ConfigMgr and allows us to manage the Mac OS X devices in our environment and, most importantly, we can do it in HTTP mode. And it’s in no way a complicated installation as long as you do your prerequisite work properly, just like we do before installing ConfigMgr itself. There are some small operations to be done in Active Directory, and perhaps even a service account if you don’t want to run with Local System.

The Parallels Netboot Server is the role that, together with the Distribution Point having PXE enabled, allows you to actually deploy a Mac OS X version to the Apple devices with a special boot image, an OS X reference image and a Task Sequence! Brilliant!

With the 2 above roles we are able to bring the following features to the Mac OS X clients:

FileVault 2 Encryption Management (Encrypt those Apple devices like we do on our Windows devices)

So to say it frankly – there is no longer any excuse for us to not manage these Mac OS X devices. The above mentioned solution and the features that follow are exactly what we need to start controlling the devices and ensuring that they are also managed.

This blog post is part 1 of 2 blog posts – and as you can see it’s all about introductions. Power BI is not a “new” thing, it’s been around for some time but is really just now starting to take off.

So what is Power BI? It’s a new online service for us to get insight into our SCCM data, and for us to further display data internally or to others. Previous versions were a coop between Power BI and Office 365, but now we have Power BI as an online service by itself. It even comes in a Desktop version that allows you to connect and build data sources locally from your device.

How can it help me working with SCCM? A big wish from many administrators is a simple and understandable way to show the work and effort we put into acquiring the data that we gather in SCCM. They are constantly asked to provide visual evidence for services provided and time spent. Whether it’s Inventory, Health, Compliance or Deployment data, we have had some possibilities to do just that with built-in reporting tools, but in my opinion it’s been heavy, slow and tiresome to work with. Can Power BI replace all that? No, not quite, because there are still dashboard solutions out there that might be more fitting to the individual needs. But if you asked me if I would spend time building Reports in SCCM with the report builder or Visual Studio? I’d answer no – there’s Power BI!

And how does it work? If you have worked with SQL Reporting Service for SCCM or perhaps even Power Query for Excel (now built-in with Office 2016) then you know the datasets to be the foundation of these. It’s still the same, and we can even reuse the exact same queries in order to work with the same data, but in a way that brings us many more options in terms of visual creativity and dynamics.

The ways that we connect to the data are numerous, but it goes without saying that a direct SQL connection is what most would look into; we just need a way to access it with account rights etc.

So to end this part 1, I hope that I’ve planted a seed of interest and perhaps you will even have looked at Power BI before you get the chance to read part 2 that will come later, with an example and a template for you all to use as a starting line for racing forwards into the Power BI world.

So stay tuned to our xmas blog calendar, still so much cool stuff for us to share with you all.

Merry xmas!

Wsyncmgr.log: The request failed with HTTP status 503

Tue, 31 Mar 2015 05:57:21 +0000

Kent has blogged about WSUS maintenance before – it’s important so that we don’t hit problems like the one I’m about to share with you, so make sure you do something about it – Link.

“The request failed with HTTP status 503: Status Unavailable” in this case the source is a stored procedure running (Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPGetUpdatesThatSupersedeUpdate).

The wsyncmgr.log snippet above is an example of the WSUS sync failing because the IIS Application Pool had stopped.

The reason for it stopping is that the amount of private memory allowed to the application pool had hit the roof, and when that happens the service stops and nothing works in regards to WSUS. The default limit is set to 1.8Gb, increasing that will allow the WSUS to work through the amount of data as it increases in age and size.

Set the private memory to a value between 6 and 12 Gb and start the application pool again. After that the WSUS sync should go through and everything should fall back into working order.

Metadata Only Updates in SCCM 2012 R2 Console

Fri, 27 Mar 2015 10:45:41 +0000

Been a while since I blogged – but this I felt needed to come up.

But I just had a case where the WSUS had totally broken down, the SUSDB was gone and the SUP was gone. So the only option left was to start over with building a new WSUS and setting a new SUP to connect to this new WSUS.

(Remember to configure the WSUS IIS website SSL settings if you have a PKI solution implemented.)

But back to the Metadata Only Updates – the logs were not giving me any errors, warnings or information about why and where. I tried all the tricks in the book – removing SUP classifications, products and adding them again. Opened the WSUS console to see if there was some setting available to change updates from Metadata to Normal, even did a cleanup from WSUS. (Be careful when working in the WSUS console, any configuration or change made in there can break the connection between WSUS and the SCCM SUP.)

Furthermore I saw that going forward, the updates that were released or revised after the time of the incident were coming in as Normal updates, so this was not a problem going forward – it was just isolated to a bunch of updates that for some historical reason had been deemed as Metadata Only in the SCCM database.

Only thing left was to go into the database, and I cannot tell you how important it is to be careful when venturing into the SCCM database! Test in a lab first, have a backup of your database ready and be meticulous in everything you do.

I looked everywhere for a solution to just change the update from Metadata Only to Normal but I didn’t find anything that could reassure me that would work, so the only option was to delete the Update CIs in the SCCM database and then do a full sync of WSUS.

First of all go into the SCCM console, and in the All Software Updates view add the column Unique Update ID. This will give you the ID of the updates you need to work with.

Take the Unique Update ID and do a select to verify the object in the database.

select * from CI_ConfigurationItems where CI_UniqueID = 'id_value'

After having verified the object in the database, replace id_value with the Unique Update ID in the statements below and execute one line at a time.

update CI_ConfigurationItems set IsExpired=1 where CI_UniqueID = 'id_value'
delete CI_ConfigurationItemRelations where ToCI_ID in (select CI_ID from CI_ConfigurationItems where CI_UniqueID = 'id_value')
delete CI_AssignmentTargetedCIs where CI_ID in (select CI_ID from CI_ConfigurationItems where CI_UniqueID = 'id_value')
delete CI_ConfigurationItems where CI_UniqueID = 'id_value'
delete CI_CIDocuments where CI_ID not in (select CI_ID from CI_ConfigurationItems)
delete CI_DocumentStore where Document_ID not in (select Document_ID from CI_CIDocuments)

When all is done then run a full sync of the WSUS from a PowerShell console started from the SCCM console (this way PowerShell automatically connects to SCCM).

Sync-CMSoftwareUpdate -FullSync $true

Hope this helps someone.

Troubleshooting Workgroup Clients with PKI not talking with MP

Thu, 21 Aug 2014 12:32:47 +0000

I had a ConfigMgr 2012 R2 case going on for a while with Workgroup clients in a DMZ zone that wouldn’t communicate with the Management Point.

A PKI infrastructure was in place and running, and the ConfigMgr Client was installing fine on these workgroup clients – but when the time came for the client to start talking with the Management Point I had numerous errors in LocationService.log and ClientIDManagerStartup.log and in a couple of other logs.

Pretty sure that I had all the right certificates in place! (Turned out I didn’t!)

Depending on the Certification Authority structure you have, there are some rules for where the CA certificates must sit when the Workgroup client authenticates its PKI certificate. With a single CA as a Root CA, the Root CA certificate must be in the “Trusted Root Certification Authorities” store, but if you have a multiple-CA structure with a Root CA and underlying Issuer CAs, then the Issuer CA certificate must also be in the “Intermediate Certification Authorities” store. (This all goes on in the Local Computer certificate location, of course.)

In most cases when you export a certificate for use on an out of reach CA you are presented with the option to “Include all certificates in the certification path if possible”, and rightly so, these Root & Issuer CAs are exported with the PKI certificate.

But but but but, what I saw was that both certificates, the Root CA & the Issuer CA, were located in the “Trusted Root Certification Authorities” store – so the fix to this whole problem was to get that Issuer CA certificate down into the “Intermediate Certification Authorities” store, and after a minute or two, or a restart of the “SMS Agent Host” service, I saw the log files starting to pass through these errors and connect to the MP and start downloading policies etc.

So to sum up – make sure that if you have a CA structure with more than one level, and see these errors, then make sure your CA certificates are placed properly!
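The store check described above can be scripted. This is an added example, not part of the original post: it lists certificates in the Local Computer “Trusted Root Certification Authorities” store that are not self-signed, which is how a misplaced Issuer CA certificate shows up, and can move one to the “Intermediate Certification Authorities” store. The function names are made up for this example, and treating "Subject equals Issuer" as "self-signed root" is a heuristic assumed here.

```powershell
# Added example (hypothetical function names). Run elevated on the workgroup client.

function Open-LocalMachineStore {
    param([string]$Name)   # 'Root' = Trusted Root CAs, 'CA' = Intermediate CAs
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $Name, $location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    return $store
}

function Get-MisplacedCaCertificate {
    # A root CA certificate is self-signed: Subject and Issuer are identical.
    # A certificate in Trusted Root that was issued by another CA is an
    # Issuer (intermediate) CA certificate sitting in the wrong store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Move-CaCertificateToIntermediateStore {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$Thumbprint
    )
    process {
        $cert = Get-Item -Path "Cert:\LocalMachine\Root\$Thumbprint" -ErrorAction Stop
        if ($cert.Subject -eq $cert.Issuer) {
            Write-Warning "$Thumbprint is self-signed (a root CA); leaving it in Trusted Root."
            return
        }
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Move to Intermediate Certification Authorities')) {
            # Add to the intermediate store first, so the certificate is never
            # missing from both stores if the second step fails.
            $intermediate = Open-LocalMachineStore -Name 'CA'
            try { $intermediate.Add($cert) } finally { $intermediate.Close() }

            $root = Open-LocalMachineStore -Name 'Root'
            try { $root.Remove($cert) } finally { $root.Close() }
        }
    }
}

# Report only:
#   Get-MisplacedCaCertificate
# Preview the move without changing anything:
#   Get-MisplacedCaCertificate | Move-CaCertificateToIntermediateStore -WhatIf
```

After a move, wait a minute or two or restart the “SMS Agent Host” service, as described above, and watch LocationService.log and ClientIDManagerStartup.log.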

Create ConfigMgr 2012 R2 Collections with Powershell

Tue, 18 Feb 2014 13:07:36 +0000

I know we have migration tools and other built-in options when we want to build a new ConfigMgr environment. But Microsoft have given us Powershell, and there are some really cool cmdlets that we can utilize.

I’ve had a couple of examples lately where I had to create 100+ collections from scratch – or basically from just a list of applications… And instead of doing that by hand I would much rather do it with Powershell, and save my poor fingers a lot of clicking and typing.

Note: If you want incremental updating enabled on the Collections you can set the -RefreshType to Both instead of Periodic.

Now there might be some Powershell guru out there saying – pfft, I can do that much better by creating some automation and checks and maybe even a UI. But for normal beings like me this might be helpful to some.

(The same goes for the use of scripts in Detection Methods when we create Application Deployment Types.)

Since the new colour fashion in scripting today is blue, I guess the popular choice would be PowerShell. On a serious note – PowerShell is now everywhere, just ask my buddy Kaido Järvemets.

And in this example I will be checking for a setting on the clients that have the AppV Client installed. With AppV 5.0 everything is done by PowerShell so it would be natural to also go down that road with this. The setting I want to check up on is the EnablePackageScripts on the AppV Client; in order to deploy and execute AppV packages from CM2012 we will need this to be set to True.

Again – this is mostly to show what we can actually do with the whole Configuration Item and Baseline options.

Step 1. Give the Configuration Item a name, and maybe assign some categories to it.

Step 2. Specify the Operating System you want this to run on.

Step 3. Add a new Setting to the Configuration Item; in the list of different Setting choices click Scripts and you will see the layout changing.

Step 4. Enter a Name, add the following PowerShell command as the Discovery Script and select the correct Data Type.

Step 5. Still in the Create Setting window, go to the Compliance Rules tab and add the rule we want to define compliance on.

(In this case the Boolean can only be either True or False; PowerShell translates this to either 0 or 1.)

Step 6. Once you are done defining the script setting and the compliance rule, go through the last steps and finish the Configuration Item; remember to set the severity.

Done – and deploy the Configuration Item via a Baseline to a collection.

IMPORTANT:

Now if you haven’t done any configuration of the CM2012 Client Settings or of a GPO policy that lets you execute unsigned PowerShell scripts, then this will fail with error 0x87D00327, which means the script is not signed, which is true. And for CM2012 SP1 the default Client Setting is to allow only “All Signed” PowerShell scripts to execute. We have 3 options in the CM2012 Client Settings:

Bypass: The Configuration Manager client bypasses the Windows PowerShell configuration on the client computer so that unsigned scripts can run.

Restricted: the Configuration Manager client uses the current Windows PowerShell configuration on the client computer, which determines whether unsigned scripts can run.

All Signed (System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager SP1 only): The Configuration Manager client runs scripts only if they are signed by a trusted publisher. This restriction applies independently from the current Windows PowerShell configuration on the client computer.

Keep in mind that the CM2012 Client Setting only governs the execution of scripts via the Client Agent. It’s not a general setting configured onto the Client; for that you will need a GPO. And additionally, the secure way would of course be to sign all your PowerShell scripts with a certificate added to Trusted Publisher on the clients.
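Before pasting discovery or remediation scripts into a Configuration Item under “All Signed”, it helps to check that each one carries a valid signature from a certificate that is actually in Trusted Publishers. The following is an added example, not code from the original post; the function name and the folder path in the usage comment are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (hypothetical function name and folder path).
# Reports, per script, whether the Authenticode signature is valid and whether
# the signing certificate is present in the Local Computer Trusted Publishers store.

function Test-ScriptTrustedPublisher {
    [CmdletBinding()]
    param(
        # Folder holding the scripts you intend to use in Configuration Items
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Thumbprints of every certificate the client trusts as a publisher
    $trusted = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Select-Object -ExpandProperty Thumbprint)

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate

        # Unsigned scripts have no signer certificate at all
        $publisherTrusted = ($null -ne $signer) -and ($trusted -contains $signer.Thumbprint)

        [pscustomobject]@{
            Script           = $_.Name
            SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer           = $(if ($signer) { $signer.Subject } else { $null })
            PublisherTrusted = $publisherTrusted
            # Both conditions must hold for a script to be accepted as signed
            # by a trusted publisher
            MeetsAllSigned   = ($sig.Status -eq 'Valid') -and $publisherTrusted
        }
    }
}

# List every script that would be rejected:
#   Test-ScriptTrustedPublisher -Path 'C:\CIScripts' | Where-Object { -not $_.MeetsAllSigned }
```

A status of HashMismatch means the script was edited after signing and has to be signed again before it is used.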

Now all you do in what I just shared above is that you look for the setting and report back whether the client is compliant or not; you could also define a remediation script that would then correct the setting for you.

To give another example with the remediation option, for you to use on your clients, could be the CM2012 Client Cache Size – in this example I remediate the Cache Size to something other than what the Client might have, or is supposed to have.

And you will need to enable “Run the specified remediation script…” in the Compliance Rule tab where you also define the Cache Size Value that you want as the compliance value.

Once again, happy Non-Compliance hunting.

Configuration Items and Baselines, Example: SCEP Client Compliance

Wed, 09 Oct 2013 08:08:27 +0000

This example will show you a way to get compliance data from your clients regarding the System Center Endpoint Protection 2012 Client.

Now, I’m aware that through CM2012 reports and console views we already have good tools to monitor the client states in regard to SCEP – but let’s say you have another antimalware product and would like some compliance info from the clients inserted into CM2012 that you then can use to create reports etc.

The principles are the same.

First of all you will need to create Configuration Items in the CM2012 Console – these items will hold the setting criteria we hold up against the clients.

Step 1. Give the Configuration Item a name, and maybe assign some categories to it.

Step 2. Specify the Operating System you want this to run on.

Step 3. Add 3 new Settings to the Configuration Item, these Settings will be the items that we check for on the Clients.

Setting 1: Does the SCEP service executable exist on the client and does it have the correct file version.

Setting 2: Is the Installation State a correct Registry Value.

Setting 3: Is the Installation StateCode a correct Registry Value.

*Note: The 3 settings and their values are mainly found in the C:\Windows\CCM\Logs\EndpointProtectionAgent.log.

Step 4. After having created the 3 settings you will see the compliance rules for all the settings; depending on what you look for, it might be a good idea to change the severity level of a rule if it’s non-compliant.

A couple of Next clicks, and you are done.

All that remains is for you to add the Configuration Item to a Baseline and deploy it to a collection of clients, or maybe to add it to an already running “Standard Client Security” Baseline if you have that running. A word of caution though. When you create Configuration Items and Baselines – be mindful of the remediation settings you can set; some things you might want to auto-remediate if supported, and some things you definitely do not want to auto-remediate.

Again – like I said, CM2012 already has reports and console views available for you, so don’t focus so much on the example being SCEP but on the principle of you getting wiser on some client setting or state that you want to know more about.

A result of these Compliant or Non-Compliant rules can be seen in reports or even in collections where you configure the query to look for the result of the Configuration Item. And you could then, for example, deploy some fix that would install automatically on clients that reported back as Non-Compliant.

KB2828233 Update for System Center 2012 Endpoint Protection

Wed, 12 Jun 2013 14:59:26 +0000

Ok so this SCEP Update has been released some time ago, but I have seen and heard some confusion on how to get this Update installed properly into the ConfigMgr environments.

A SCUP catalog folder will also be placed in the ConfigMgr install folder “.\Program Files\Configuration Manager\hotfix\KB2828233\SCUP” for those of you that use SCUP for updating your Site Servers.

Update the scepinstall.exe file in the ConfigMgr install folder “.\Program Files\Configuration Manager\Client” to version 4.2.223.0 (Remember to right click your native “Configuration Manager Client Package” and update your Distribution Points.)

Now… “Some of you are already thinking: I can’t wait for the part of updating Endpoint Protection on the already in-place/installed clients!” And here it comes:

It’s actually quite the anticlimax, because in KB2828233 there is no update for your clients… So forget about KB2828233, or actually not – wait up! Because there are a couple of ways to update SCEP on your clients by using KB2828233 alone:

Manually update all your clients from the SCEP interface on your clients (If you only have 2 clients then that’s ok – if you have more than 50 –> AVOID…)

Change ConfigMgr Site Settings to “Upgrade client automatically when new client updates are available” (I wouldn’t do this either).

But here comes the anticlimax – there’s an update available from Windows Updates… buuhhuuu

You can go to your Software Updates section and go into All Software Updates and find KB2831316, which actually is the Update for your clients (And this is what I would recommend you to do at any time!)

So to sum up – Install KB2828233 as a server update and update the native “Configuration Manager Client Package” for the coming client deployments. And make sure KB2831316 is deployed to your active/in-place clients as a Windows Update via your normal Software Update process.